Pro-Russian TwoNet Hackers Target Water Utility Honeypot


Forescout Warns That Today’s Hacktivists Could Represent Tomorrow’s Threats


A pro-Russian hacktivist group announced on Telegram their alleged infiltration of a Western water treatment facility. However, security firm Forescout clarified that the group, known as TwoNet, had actually breached a honeypot set up by researchers.

Forescout noted that TwoNet, a recently emerged group, appeared to celebrate a successful attack by displaying the message “HACKED BY BARLATI, FUCK” on the login page of a water utility’s human-machine interface (HMI).

It is worth noting that TwoNet appears to have disbanded as of September 30, with its primary social media accounts, “BARLATI” and “DarkWarios,” going silent. This situation exemplifies the transient nature of such online groups, where operators often rebrand or shift alliances, continuing their activities under new identities.

The intrusion originated from an IP address linked to a German hosting provider with no notable prior history of hacking incidents. Initial access to the HMI was gained with default credentials, specifically the username admin and the password admin. The attacker then executed SQL queries to extract the database schema, created a new user account named “BARLATI,” and exploited a known vulnerability, CVE-2021-26829, to alter the login page.
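The chain above (default-account login, schema enumeration, account creation, login-page change) is exactly the sequence an HMI owner can alert on from audit logs. The following is an added illustration, not code from Forescout or the honeypot; it assumes a hypothetical key=value log format, constructed sample lines, and an assumed management network of 192.168.10.0/24.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample audit lines in a hypothetical key=value HMI log format (not any real product's format).
SAMPLE_LOG = """\
2025-09-20T10:01:02Z src=203.0.113.10 event=login user=admin result=success
2025-09-20T10:01:15Z src=203.0.113.10 event=query sql="SELECT name, sql FROM sqlite_master"
2025-09-20T10:02:30Z src=203.0.113.10 event=user_create user=BARLATI
2025-09-20T10:03:05Z src=203.0.113.10 event=page_update path=/login
2025-09-20T11:00:00Z src=192.168.10.5 event=login user=operator result=success
2025-09-20T11:05:00Z src=192.168.10.5 event=query sql="SELECT value FROM tags WHERE id=7"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEFAULT_ACCOUNTS = {"admin"}  # vendor default accounts that should have been renamed or disabled
MGMT_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed network allowed to reach the HMI
SCHEMA_ENUM_RE = re.compile(r"sqlite_master|information_schema|pg_catalog|SHOW\s+TABLES", re.I)

def parse_line(line):
    """Turn one log line into a dict; the first token is the timestamp, the rest are key=value pairs."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields

def detect(log_text):
    """Return (src, rule) findings; the rules mirror the intrusion steps reported by Forescout."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)
    findings = []
    for src, events in by_src.items():
        external = not any(ipaddress.ip_address(src) in net for net in MGMT_NETS)
        default_login_at = None  # timestamp of a successful default-account login from this source
        for ev in events:
            kind = ev.get("event")
            if kind == "login" and ev.get("result") == "success" and ev.get("user") in DEFAULT_ACCOUNTS:
                default_login_at = ev["ts"]
                if external:
                    findings.append((src, "default_account_login_from_outside_mgmt"))
            elif kind == "query" and SCHEMA_ENUM_RE.search(ev.get("sql", "")):
                findings.append((src, "schema_enumeration"))
            elif kind == "user_create" and default_login_at:
                findings.append((src, "account_created_after_default_login"))
            elif kind == "page_update" and ev.get("path", "").startswith("/login"):
                findings.append((src, "login_page_modified"))
    return findings
```

Any one of these rules firing from an address outside the management network warrants a look; all four from the same source within minutes is the pattern described above.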

Analysis of communications from TwoNet’s deactivated Telegram channel reveals a trajectory from initial DDoS ambitions to a broader array of activities. These included attempts to breach HMI or SCADA interfaces of critical infrastructure in nations deemed adversarial. They also purported to sell a new form of ransomware; however, Forescout researchers expressed skepticism about the credibility of this offer.

Further claims made by TwoNet included purported access to SCADA systems in Poland, with operators engaging in what Forescout describes as “signal-boosting”: frequently reposting messages from other hacktivist entities.

The evolving focus of TwoNet suggests a growing interest among state-aligned hacktivist groups in infiltrating critical infrastructure. Many of their claims have proven exaggerated, including the recent water utility “hack” and an unsubstantiated assertion by a pro-Iranian group regarding India’s nuclear capabilities, but it is vital not to underestimate their potential. Forescout cautioned that misidentified targets or overstatements do not render these groups harmless; rather, they signal a developing threat landscape.
